parlov-elicit 0.5.0

Elicitation engine: strategy selection and probe plan generation for parlov.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148

//! C8 auth-challenge-informed producer/consumer chain.
//!
//! `ScdAuthChallengeProducer` parses the `WWW-Authenticate` header from 401/407
//! (`AuthChallenge`) exchanges, extracting scheme, realm, and scope parameters.
//! `ScdAuthChallengeConsumer` uses those values to construct a follow-up GET with
//! a syntactically valid but semantically wrong `Authorization` header, driving a
//! stronger auth error (401 with credentials, or 403) vs 404 for a nonexistent
//! resource — amplifying the existence differential.

use http::{HeaderMap, Method};
use parlov_core::{
    always_applicable, NormativeStrength, OracleClass, ResponseClass, SignalSurface, Technique,
    Vector,
};

use crate::chain::{Consumer, Producer, ProducerOutput, ProducerOutputKind};
use crate::context::ScanContext;
use crate::types::{ProbeSpec, RiskLevel, StrategyMetadata};
use crate::util::{build_pair, try_clone_headers_with};

static CHAIN_METADATA: StrategyMetadata = StrategyMetadata {
    strategy_id: "scd-auth-challenge-chain",
    strategy_name: "Auth-Challenge Chain (scope-manipulation probe)",
    risk: RiskLevel::Safe,
};

static CHAIN_TECHNIQUE: Technique = Technique {
    id: "auth-challenge-chain",
    name: "Auth-challenge-informed scope-manipulation chain",
    oracle_class: OracleClass::Existence,
    vector: Vector::StatusCodeDiff,
    strength: NormativeStrength::Should,
    normalization_weight: None,
    inverted_signal_weight: None,
    method_relevant: false,
    parser_relevant: false,
    applicability: always_applicable,
    contradiction_surface: SignalSurface::Status,
};

/// Parses `WWW-Authenticate` scheme, realm, and scope from 401/407 responses.
pub(super) struct ScdAuthChallengeProducer;

impl Producer for ScdAuthChallengeProducer {
    fn admits(&self, class: ResponseClass) -> bool {
        matches!(class, ResponseClass::AuthChallenge)
    }

    fn extract(&self, _class: ResponseClass, headers: &HeaderMap) -> Option<ProducerOutput> {
        let raw = headers.get(http::header::WWW_AUTHENTICATE)?.to_str().ok()?;
        let scheme = parse_scheme(raw);
        if scheme.is_empty() {
            return None;
        }
        let realm = parse_param(raw, "realm");
        let scope = parse_param(raw, "scope");
        Some(ProducerOutput::AuthChallenge {
            scheme: scheme.to_owned(),
            realm,
            scope,
        })
    }
}

/// Extracts the scheme token: the first whitespace-delimited or end-of-string token.
fn parse_scheme(raw: &str) -> &str {
    raw.split_ascii_whitespace()
        .next()
        .unwrap_or("")
        .trim_end_matches(',')
}

/// Finds `key="value"` or `key=value` in the header, returns the value.
fn parse_param(raw: &str, key: &str) -> Option<String> {
    let needle = key;
    // Walk through comma-separated params after the scheme token
    let params_start = raw.find(char::is_whitespace).unwrap_or(raw.len());
    let params = &raw[params_start..];

    for part in params.split(',') {
        let part = part.trim();
        let Some(rest) = part.strip_prefix(needle) else {
            continue;
        };
        let rest = rest.trim_start_matches(char::is_whitespace);
        let Some(rest) = rest.strip_prefix('=') else {
            continue;
        };
        let rest = rest.trim();
        let value = if rest.starts_with('"') {
            rest.trim_matches('"').to_owned()
        } else {
            rest.split_ascii_whitespace()
                .next()
                .unwrap_or(rest)
                .to_owned()
        };
        if !value.is_empty() {
            return Some(value);
        }
    }
    None
}

/// Converts a harvested auth challenge into one GET probe spec with a crafted
/// `Authorization` header using the extracted scheme (and realm for Bearer).
pub(super) struct ScdAuthChallengeConsumer;

impl Consumer for ScdAuthChallengeConsumer {
    fn needs(&self) -> ProducerOutputKind {
        ProducerOutputKind::AuthChallenge
    }

    fn generate(&self, ctx: &ScanContext, output: &ProducerOutput) -> Vec<ProbeSpec> {
        let ProducerOutput::AuthChallenge { scheme, realm, .. } = output else {
            return vec![];
        };
        let auth_value = build_auth_value(scheme, realm.as_deref());
        let Some(hdrs) = try_clone_headers_with(&ctx.headers, "authorization", &auth_value) else {
            return vec![];
        };
        vec![ProbeSpec::Pair(build_pair(
            ctx,
            Method::GET,
            hdrs.clone(),
            hdrs,
            None,
            CHAIN_METADATA.clone(),
            CHAIN_TECHNIQUE,
        ))]
    }
}

/// Produces a minimal, syntactically valid but wrong `Authorization` value.
fn build_auth_value(scheme: &str, realm: Option<&str>) -> String {
    match scheme {
        "Bearer" => match realm {
            Some(r) => format!("Bearer realm=\"{r}\""),
            None => "Bearer".to_owned(),
        },
        "Basic" => "Basic Og==".to_owned(),
        other => other.to_owned(),
    }
}

#[cfg(test)]
#[path = "auth_challenge_tests.rs"]
mod tests;